[wp-trac] [WordPress Trac] #39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
WordPress Trac
noreply at wordpress.org
Fri Jan 6 20:38:57 UTC 2017
#39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
------------------------------------------+------------------------------
Reporter: paragoninitiativeenterprises | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------------------+------------------------------
Comment (by paragoninitiativeenterprises):
> Are any other widely used projects using it yet?
Not many that I haven't had a hand in.
> Would WP be the early adopter here?
No, the early adopter would be Airship:
https://paragonie.com/project/airship
> You will only have 1 CPU core available.
> You should not use more than 10MB of memory.
> Hashing should not take longer than 0.5 seconds or it affects the user
> experience.
Well, I was going to shoot for at least (16 MB of memory, 0.125 seconds)
on a reasonable hardware configuration.
Libsodium's CRYPTO_PWHASH_*_INTERACTIVE constants define 32 MB of memory
usage and 4 rounds on 1 core.
We must always use at least 3 rounds.
If most setups can get away with the _INTERACTIVE configuration, I'd
recommend that. But as an insurance/stopgap, an early adoption at a lower
memory threshold would be better than sticking with MD5 forever.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39499#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
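
An added example, not part of the ticket or of WordPress or libsodium code: one way to choose Argon2i parameters along the lines the comment describes, preferring the 32 MB tier, falling back to 16 MB, and never going below 3 rounds. It assumes PHP 7.2+ built with Argon2 support; `time_hash()`, `calibrate_argon2i()`, the `MAX_ROUNDS` bound and the 8 MB "weak" hash are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Figures from the comment above; PHP's memory_cost option is expressed in KiB.
const MIN_ROUNDS       = 3;                      // "We must always use at least 3 rounds."
const MAX_ROUNDS       = 10;                     // assumed safety bound for the search loop
const TARGET_SECONDS   = 0.125;                  // the comment's time target
const MEMORY_TIERS_KIB = [32 * 1024, 16 * 1024]; // _INTERACTIVE figure, then the 16 MB stopgap

/** Wall-clock seconds for one Argon2i hash with the given options. */
function time_hash(array $options): float
{
    $start = microtime(true);
    password_hash('constructed-benchmark-password', PASSWORD_ARGON2I, $options);
    return microtime(true) - $start;
}

/** Largest memory tier that meets the target at the round floor, then as many rounds as fit. */
function calibrate_argon2i(float $target = TARGET_SECONDS): array
{
    foreach (MEMORY_TIERS_KIB as $memory) {
        $options = ['memory_cost' => $memory, 'time_cost' => MIN_ROUNDS, 'threads' => 1];
        if (time_hash($options) > $target) {
            continue; // too slow even at the round floor: try the smaller tier
        }
        // Array union keeps the left-hand time_cost, so this times "one more round".
        while ($options['time_cost'] < MAX_ROUNDS
            && time_hash(['time_cost' => $options['time_cost'] + 1] + $options) <= $target) {
            $options['time_cost']++;
        }
        return $options;
    }
    // No tier met the target: keep the floor values instead of weakening them further.
    return ['memory_cost' => min(MEMORY_TIERS_KIB), 'time_cost' => MIN_ROUNDS, 'threads' => 1];
}

$options = calibrate_argon2i();
$hash    = password_hash('constructed-sample-password', PASSWORD_ARGON2I, $options);

// The stored hash verifies and already matches the calibrated parameters.
var_dump(password_verify('constructed-sample-password', $hash));
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, $options));

// A hash created with a smaller memory cost (constructed) is reported as needing
// a rehash, which is the hook for upgrading it at the next successful login.
$weak = password_hash('constructed-sample-password', PASSWORD_ARGON2I,
    ['memory_cost' => 8 * 1024, 'time_cost' => MIN_ROUNDS, 'threads' => 1]);
var_dump(password_needs_rehash($weak, PASSWORD_ARGON2I, $options));
```

Timing a single hash is noisy, so a real calibration would average several runs on the target hardware.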